 ID:               42310
 Updated by:       [EMAIL PROTECTED]
 Reported By:      astalor at gmail dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Session related
 Operating System: ALL
 PHP Version:      5.2.4RC1
 New Comment:

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz

For Windows (zip):

  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

Previous Comments:
------------------------------------------------------------------------

[2007-08-15 13:28:54] astalor at gmail dot com

Description:
------------
If you put an invalid symbol in the session ID and PHP warnings are turned on, you can retrieve information about files and paths on the server and also, in some cases, the configured session.save_path variable from PHP.INI. This can display warnings (and sometimes break pages that count on redirection with header()) on pages that are perfectly correct and without any errors in them.

Reproduce code:
---------------
<?php
/*
   This script checks whether PHP warnings are enabled for the targeted website
*/
function checkWarnings($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_TIMEOUT, 2);
    // Session cookie whose value is a single NUL byte (an illegal session ID character)
    curl_setopt($ch, CURLOPT_COOKIE, "PHPSESSID=\0");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    $output = curl_exec($ch);
    curl_close($ch);

    // Collect rendered PHP warnings and the save_path quoted in the write-failure message
    preg_match_all("/<b>Warning<\/b>:(.*)<br \/>/i", $output, $match);
    preg_match_all("/session.save_path is correct \((.*)\)/i", $output, $path);
    #echo $output;
    echo "<pre>";
    echo "Checking <b>$url</b>\n";
    if (count($match[0]) > 0) {
        echo "<b>Warnings found</b>:\n";
        echo implode("\n", $match[0]);
    } else {
        echo "Warning are <b>disabled</b>\n";
    }

    // Optional: dump the raw response when ?debug=1 is passed
    if (isset($_GET['debug']) && $_GET['debug'] == 1) {
        echo "<b>Displaying page:</b>\n";
        echo $output;
    }
    #print_r($path);
}

checkWarnings($_GET['url']);
?>

Expected result:
----------------
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/user/public_html/main/file.php on line 32

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Actual result:
--------------
the same as the expected result, as long as PHP warnings are enabled

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=42310&edit=1
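
A defensive counterpart to the report above, as an added example that is not part of the bug report or of PHP itself: the application checks the session cookie against the character set named in the quoted warning before calling session_start(), and keeps diagnostics out of the response. The function names, the 128-byte length cap and the use of random_bytes() (PHP 7+) are assumptions.

```php
<?php
// Added example, not code from the bug report. Assumes PHP 7+ (random_bytes)
// and cookie-based sessions; function names are hypothetical.

// True when $id contains only the characters the warning in the report lists
// as valid (a-z, A-Z, 0-9, '-' and ','). The 128-byte cap is an assumption.
function session_id_is_wellformed($id)
{
    return is_string($id)
        && strlen($id) <= 128
        && preg_match('/\A[A-Za-z0-9,-]+\z/', $id) === 1;
}

// Start a session without letting a malformed client-supplied ID reach
// session_start(), and keep any remaining diagnostics out of the response.
function start_session_quietly()
{
    ini_set('display_errors', '0'); // no file paths or save_path in page output
    ini_set('log_errors', '1');     // warnings still reach the server log

    $name = session_name();
    if (isset($_COOKIE[$name]) && !session_id_is_wellformed($_COOKIE[$name])) {
        // Discard the supplied value and use a fresh ID chosen by the server.
        session_id(bin2hex(random_bytes(16)));
    }
    return session_start();
}

// Constructed sample values, checked only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = array(
        'plausible id' => 'a3f9c0d27b5e4c1896aa0f4e2d7c1b55',
        'NUL byte'     => "\0",
        'path chars'   => '../../tmp/x',
        'empty'        => '',
    );
    foreach ($samples as $label => $id) {
        printf("%-13s %s\n", $label, session_id_is_wellformed($id) ? 'accept' : 'reject');
    }
}
```

Setting display_errors = Off and log_errors = On in php.ini covers the whole site, including errors raised before any script code runs, which the runtime ini_set() calls cannot reach.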